In my 20+ years working in cyber security, I’ve reported more than 1000 vulnerabilities to a wide variety of companies, most found by our team at IOActive as well as some found by me. In reporting these vulnerabilities to many different vendors, the responses (or lack thereof) I got were also very different, depending on vendor security maturity. Whenever I think I have seen everything related to vulnerability disclosure, I have new experiences, usually bad ones, but in general I keep seeing the same problems over and over again.
I’ve decided it would be a good idea to write about some Laws of Disclosure, to help those companies that are not yet mature improve their vulnerability disclosure processes.
Law 1: The vulnerability reporter is always right
It doesn’t matter if the vulnerability reporter is gross, stupid, or insults you: they have zero-day findings on your technology, so you’d better say “please” and “yes” to everything you can. It’s less complicated to deal with someone you don’t like than to deal with 0days in the wild hurting your business.
Law 2: Have an easy-to-find and simple way to report vulnerabilities
It shouldn’t take more than a few seconds of browsing your website to find out how to report a vulnerability. Make it as easy and simple as possible; otherwise, you’ll learn about the vulnerability on the
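One concrete way to make the reporting channel findable, as an added example that is not part of the original post: publish a security.txt file (RFC 9116) at the well-known path of every domain you own. The domain, mailbox, URLs and dates below are placeholders, not a real vendor’s configuration.

```text
# Served at https://example.com/.well-known/security.txt (RFC 9116).
# Every value in this file is a placeholder for the example.

# Where reports go. mailto:, https: and tel: URIs are allowed;
# list the channel you want reporters to use first.
Contact: mailto:security@example.com
Contact: https://example.com/security/report

# Required field: the date after which this file must be treated as stale.
# Renew it before it passes, or reporters will assume the contact is dead.
Expires: 2026-12-31T23:59:59.000Z

# Public key so findings can be sent encrypted.
Encryption: https://example.com/security/pgp-key.txt

# Your disclosure policy and the page where reporters are credited.
Policy: https://example.com/security/disclosure-policy
Acknowledgments: https://example.com/security/hall-of-fame

# Languages you can handle reports in.
Preferred-Languages: en, es

# Canonical location, so a copy hosted elsewhere cannot be passed off as yours.
Canonical: https://example.com/.well-known/security.txt
```

Check it from outside your own network (for instance with curl against the well-known URL) and put the renewal of the Expires date on a calendar: a file that returns 404, has expired, or points at an unmonitored mailbox is worse than no file at all, because the reporter will conclude you are unreachable and move on.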
Law 3: Your rules and procedures are not important
Some vulnerability reporters don’t care about your rules and procedures for reporting, and they don’t want your bounty or compensation. They don’t have to follow your rules; they just want the vulnerability reported and fixed.
Law 4: Keep the vulnerability reporter up to date
Never keep the vulnerability reporter in the dark. Acknowledge a vulnerability report as soon as you receive it, and then keep the finder posted on your actions and plans.
Law 5: Don’t play dirty
Never try to trick the reporter in any way to buy time or avoid public disclosure. Sooner or later the reporter will find out and 0day you. Time is never on your side, so use it wisely.
Law 6: Compensate the vulnerability reporter
The vulnerability reporter is working for you for free, so always compensate them in some way, with a bounty or at least public acknowledgement and thanks.
Law 7: Forget NDAs and threats
The vulnerability reporter is not part of your company and doesn’t care about your lawyers. The vulnerability must always be fixed and then published, not hidden.
Law 8: Put the right people in place
The people handling vulnerability reports should have the right knowledge and proper training. Never put lawyers or marketing people in charge of vulnerability disclosure; vulnerability finders don’t want to hear BS from them.
Law 9: Coordinate the fix release and the advisory publication
Properly coordinate the release date of your fix with the publication of the vulnerability advisory. You don’t want your customers exposed for one second.
Law 10: Don’t sweep vulnerabilities under the carpet
Don’t sweep vulnerabilities under the carpet with silent fixes that never tell your customers how and why they should update. If you do, the vulnerability reporter will make sure your customers know, and they won’t be happy when they find out.
These Laws are based on my own experience, but
if I’ve missed something, feel free to share your own experience and help contribute
to a better vulnerability disclosure process. Also, if you ever need help with
disclosures yourself, let me know via Twitter DM or email. I’ll be happy to